Blue452

Adware.WebHancer


Can anyone attach a copy of the file "C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll", so we can review this again?

Thanks

We will remove detection temporarily and re-add it if needed (after review).

I tried and your system says I am "not allowed to upload this type of file".

I am trying again on this post.


Sorry, I've unzipped before but never zipped. I don't think I even have the application.


To zip a file, right-click the file and select "Send to" > Compressed (zipped) folder.

This will create a new file in that directory with the name AWhelper.zip

That's what you have to attach here. :)


@ miekiemoes,

I'll attach mine.

I searched my registry last night for awhelper entries, and there are several of them. It made me think that this item actually did come preinstalled on the computer.


Ok thanks. Detection has been removed in the meantime. It will be re-added if needed (if it's a "critical" adware component). If harmless, then no need to re-add detection.

Either way, if you already deleted it, there's nothing to worry about as this won't break anything. After all, some other scanners have been detecting this file for months.


Sorry, I had connection problems, then got logged out.

Anyways thanks for the zip lesson and here is the zipped file to compare with Amethyst's.

AWhelper.zip


Oh, in case this means anything, I have run MB full scan a couple of times since reporting here and AWhelper.dll is still detected as MW but those registry entries it caught then (listed in my previous post) have not been reported since. ???


Can you post a developers scan log please?

1. Click the Start Menu.

2. Click Run.

3. Type in "mbam.exe /developer", without the quotes.

4. Run the same type of scan you did before and save the logfile and post it.

Never mind, it should be fixed in next update. It wasn't in this one yet. :)


Per your advice, I downloaded the latest DB and ran a full scan. AWhelper.dll and two system restore files were found to be Adware.WebHancer infected.


No change:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3947

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/2/2010 12:25:01 PM

mbam-log-2010-04-02 (12-25-01).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 187325

Time elapsed: 30 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP444\A0092157.dll (AdWare.WebHancer) -> No action taken.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP445\A0093043.dll (AdWare.WebHancer) -> No action taken.

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> No action taken.


I don't mean to beat this horse to death but I have a couple dozen System Restore points going back to Feb. and yet MB is only picking up what I presume to be the offending AWhelper.dll file in two of them. Is MB basing its finding on attributes instead of file content? Sorry, just a curious thought here.

P.S. Was DB ver. 3947 supposed to fix the false positive?


I'm getting a detection as well for 3947. I'm just navigating to awhelper.dll and I get the detection popup from MWB.


Yes, I know. 3947 didn't include this fix yet - but included some critical malware detections instead, please be patient. :)

To those of you who have quarantined the related registry entries, can I clarify this: You have rebooted your systems since and your computers are fine? Is that correct?

In answer to Amethyst's post #25, I currently have these items in quarantine as shown below and upon reboot/shutdown, my computer is fine. We always turn off the computer when not in use and so far, no problems.

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully.

HP Computer

XP, SP3

IE8


Thanks for your feedback, Blue452.

It looks like with DB 3948, this is no longer being detected as malware. Thank you, Miekiemoes. :)


I sure hope my posts made sense and I haven't offended anyone. I don't want to be a pain but a question w/o an answer makes me lose sleep. lol Anyway, here goes again: Can one rely on the dates Windows Explorer displays? I just want to know if a file can be modified or one added on the Windows file system without the dates reflecting that operation? I know it sounds like a MS question but I have asked before on other forums and have not received a definitive answer.

Thanks for allowing me to post here.

Also, I ran MB scan this a.m. with DB 3949 and all's quiet on the southeastern front.

"I just want to know if a file can be modified or one added on the Windows file system without the dates reflecting that operation?"

Yes, that happens frequently.

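On the question above of whether the dates Explorer shows can be relied on, an added example (not part of the original thread): it records size, modification time and a SHA-256 content hash for a constructed sample file, changes the content, puts the old timestamps back, and reports which recorded properties still differ. The file name `sample.dll` and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash file content in chunks; timestamps and attributes play no part."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(path):
    """Record what a later check needs: size, mtime (ns) and content hash."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_of(path)}


def compare(baseline, path):
    """Return the recorded properties that differ from the file as it is now."""
    current = snapshot(path)
    return sorted(k for k in baseline if baseline[k] != current[k])


def demo():
    # Constructed sample file standing in for a DLL; not real data.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dll")
        with open(path, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"original")
        baseline = snapshot(path)
        st = os.stat(path)

        # Same-length content change, then the old timestamps are put back,
        # which any program with write access to the file can do.
        with open(path, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"modified")
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

        return compare(baseline, path)


if __name__ == "__main__":
    print(demo())
```

Size and modification time match the baseline after the change; only the content hash differs, which is why a hash baseline rather than the displayed date is the thing to compare.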

My question: Since the latest database is currently no longer flagging these files and I have these files in quarantine, would you recommend that I restore them or just leave them in quarantine for now? I'm not sure what to do.

Thank you.

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> Quarantined and deleted successfully.
